The CFPB issues new policy guidance on credit reporting and dispute resolution

On April 1, 2020, the Consumer Financial Protection Bureau (“CFPB” or “Bureau”) issued a non-binding general policy statement (“Policy Statement”) regarding the Fair Credit Reporting Act (FCRA) and Regulation V in light of the recently enacted Coronavirus Aid, Relief, and Economic Security Act (CARES Act).

The CFPB’s Policy Statement highlights furnishers’ responsibilities and informs consumer reporting agencies (“CRAs”) of the Bureau’s flexible supervisory and enforcement approach during this pandemic. The Bureau intends to consider the circumstances that entities face as a result of the COVID-19 pandemic and their good faith efforts to comply with statutory and regulatory obligations as soon as possible.

The Bureau believes that this flexibility will help furnishers and CRAs to manage the challenges of the current crisis. Below are examples of the flexibility the Bureau intends to provide in the consumer reporting system.

Furnishing consumer information impacted by COVID-19: The Bureau reiterates its prior guidance encouraging financial institutions to work constructively with borrowers and other customers affected by COVID-19 to meet their financial needs. While companies generally are not legally obligated to furnish information to CRAs, the Bureau encourages them to continue doing so despite the current crisis. Furnishers’ providing accurate information to CRAs produces substantial benefits for consumers, users of consumer reports, and the economy as a whole. The CARES Act, a section of which amends the FCRA, generally requires furnishers to report as current certain credit obligations for which furnishers make payment accommodations to consumers affected by COVID-19 who have sought such accommodations from their lenders. Many furnishers are or will be offering consumers affected by COVID-19 various forms of payment flexibility, including allowing consumers to defer or skip payments, as required by the CARES Act or voluntarily. Such payment accommodations will avoid the reporting of delinquencies resulting from the effects of COVID-19. The Bureau supports furnishers’ voluntary efforts to provide payment relief, and it does not intend to cite in examinations or take enforcement actions against those who furnish information to CRAs that accurately reflects the payment relief measures they are employing.

Disputes: The FCRA generally requires that CRAs and furnishers investigate disputes within 30 days of receipt of the consumer’s dispute. The 30-day period may be extended to 45 days if the consumer provides additional information that is relevant to the investigation during the 30-day period. The Bureau is aware that some CRAs and furnishers may face significant operational disruptions that pose challenges in the investigations. For example, some CRAs and furnishers may experience reductions in staff, difficulty in taking disputes, or lack of access to necessary information, rendering them unable to investigate the disputes within the timeframes the FCRA requires. Furnishers include a wide variety of businesses that vary in size and sophistication and can range from small retailers to very large financial services firms, each of which will face unique challenges due to the COVID-19 pandemic. In evaluating compliance with the FCRA as a result of the pandemic, the Bureau will consider a CRA’s or furnisher’s individual circumstances and does not intend to cite in an examination or bring an enforcement action against a CRA or furnisher making good faith efforts to investigate disputes as quickly as possible, even if dispute investigations take longer than the statutory timeframe. The Bureau reminds furnishers and CRAs that they may take advantage of statutory and regulatory provisions that eliminate the obligation to investigate disputes submitted by credit repair organizations and disputes they reasonably determine to be frivolous or irrelevant. The Bureau will consider the current constraints on furnishers’ and CRAs’ time, information, and other resources in assessing if such a determination is reasonable.

Regulatory requirements: The Policy Statement is a non-binding general statement of policy articulating considerations relevant to the Bureau’s exercise of its supervisory and enforcement authorities. It is therefore exempt from the notice and comment rulemaking requirements under the Administrative Procedure Act pursuant to 5 USC 553(b).

Resources for consumers and small businesses facing the impacts of the COVID-19 pandemic are available on the Bureau’s website at https://www.consumerfinance.gov/coronavirus/.

April 3rd, 2020|Guidence|

The EU-US Privacy Shield for transatlantic data transfers makes its debut

Announced on February 2, 2016 by the European Commission, the new political agreement called the Privacy Shield, reflects the requirements set out by the European Court of Justice in its ruling on October 6, 2015, which declared the old Safe Harbor privacy framework invalid.

The new arrangement calls for strong data privacy and security measures and robust enforcement of U.S. companies handling Europeans’ personal data, clear safeguards and transparency for U.S. government access, and effective protection of EU citizens’ rights with several redress possibilities.

The College of Commissioners is now preparing an adequacy decision regarding the Privacy Shield–the Article 29 Working Party (the “Working Party”), a data protection authority, is requesting that all documents be provided  by the end of February 2016 so that it can complete its assessment of the new framework at a special plenary meeting shortly thereafter. In a statement issued February 3, 2016, the Working Party provided some assurances that during this period of transition, transfer mechanisms, such as standard contractual clauses (which are data transfer agreements approved by the Commission) and binding corporate rules (generally described as internal data processing rules binding on all members of a global corporate group) to permit intragroup transfers of personal data) can still be used as transfer tools to the U.S.

Organizations that certified compliance under the Safe Harbor regime must continue to meet their obligations in connection with previously transferred personal data to avoid enforcement actions by the Commerce Department or the Federal Trade Commission, which consider the Safe Harbor as still binding. In the interim, implementing the above-mentioned clauses should also be considered to the extent they supplement the Safe Harbor platform. It appears that the Privacy Shield, at least initially, will rely significantly on the Safe Harbor framework, and it is likely that the Department of Commerce will offer a means for Safe Harbor certified organizations to transition to the Privacy Shield.

February 24th, 2016|Educational Series, European Union, Guidence|

Asset searches: who can get bank information and why

Accessing bank account information can be vitally important, particularly for those engaged in a lending transaction seeking to fulfill due diligence requirements. But getting your hands on the information can be a challenge.

Asset searches are not illegal. However, certain methods to obtain bank or investment account information can be, such as pretext calling. The simplest way to obtain financial information is via the account holder, a designated representative, or a party with a valid court order. The first two options are unlikely to be forthcoming. As for the third choice, obtaining a court order to access such information can be time-consuming and costly.

Access to financial information is regulated by both federal and state laws. For example, the Gramm-Leach-Bliley Act (GLBA) prohibits obtaining customer information from a financial institution under false pretenses and imposes an obligation on financial institutions to protect customer information. Generally, a “customer” is defined as an individual consuming goods or services for personal or household use, although some authorities have included sole proprietors, partnerships of five or fewer, and other small businesses to receive the same privacy protections. For businesses, the issue of data protection is governed by contract. While the consumer protection provisions of laws like the GLBA would not apply, it does not mean that financial institutions can freely share their information.

International asset searches present their own set of problems. Other countries – particularly those in the European Union – have strict data privacy laws that prohibit any access to personal information as well as the transfer of data across national borders. Federal law also comes into play, with the Foreign Corrupt Practices Act presenting potential liability issues if an entity searching for asset information obtained the information by illegal means (such as bribing a banking or government official).

What about judgments? While a judgment cannot by itself force a bank or brokerage firm to disclose account information, it allows a creditor to use the court to seize the debtor’s assets. With a judgment in hand, a creditor can file for an order of examination which will require the debtor to disclose – under oath – the location of assets, details about income, or other relevant information. However, the judicial process of obtaining a judgment reveals the intent of the creditor and can give the debtor time to empty an account or move assets prior to the court entering an order. Judgments can also be tricky to enforce. State law governs judgments with specifics varying in each jurisdiction. In California, a creditor must obtain a writ of execution directing a levying officer (usually a sheriff) to serve the writ on the named institution. The institution must then freeze the specific account(s) or, in certain situations, turn over the balance in the account. Serving a writ of execution in California was recently simplified to allow service on a “central location” designated by a bank with nine or more locations in the state or accept service at any branch without such a designated office.

Long-arm statutes can be used to reach accounts in a jurisdiction other than where the judgment originated. A debtor can object to the attempt and courts typically impose a test of whether the debtor or third party (like the bank or brokerage holding the assets) has connections with the court or creditor, which, at a minimum, can delay the process and make it more expensive.

For assets like stocks, bonds, and commodities, creditors can again obtain a court order that can liquidate the account into cash to be turned over to the creditor. It should be noted that certain types of accounts (notably retirement accounts) cannot be reached, even in cases of fraud. To preserve an account balance, a creditor can serve a levy on a brokerage in order to put a hold on the account while waiting for a court order.

Public records – ranging from property records to litigation – can also help locate or confirm a debtor’s assets. One important consideration: it is essential to vet any company that purports to be able to obtain financial account information. Many misleading claims and offers about obtaining such information can be found on the Internet and creditors should ensure that any data obtained was in accordance with applicable law and regulations.

February 23rd, 2015|Criminal Activity, Employment Decisions, Guidence|

Updated guide from the FTC: fighting identity theft with Red Flags Rule for businesses

On June 12, 2013, the Federal Trade Commission (the “FTC”) issued revised guidance designed to help businesses comply with the requirements of the Red Flags Rule, which protects consumers by requiring businesses to watch for and respond to warning signs or “red flags” of identity theft. The guidance outlines which businesses – financial institutions and some creditors – are covered by the Rule and what is required to protect consumers from identity theft.

The FTC enforces the Red Flags Rule with several other agencies. Its guide has tips for organizations under FTC jurisdiction to determine whether they need to design an identity theft prevention program, and can help businesses spot suspicious patterns and prevent the costly consequences of identity theft.

June 27th, 2013|Educational Series, Guidence|